Audit Report Details

  • Site conducted:

  • Conducted on:

  • Prepared by:

  • Location:

Auditees

    Auditees:
  • Full Name:

  • Job Title:

Audit Scope

  • Audit Scope:

Audit Findings:

Assessment Findings and Results:

4.1 understanding the organisation and its context

  • Notes for the Auditor:
    Review the organisation's strategic documents, policies, and procedures to verify alignment with identified internal and external issues.
    Check for any recent changes in the external or internal environment that the organisation has addressed.
    Interview key personnel to understand how they perceive and respond to these issues.
    Ensure that the organisation’s approach to understanding its context is not just a one-time activity but an ongoing process.

Determination of External and Internal Issues

  • Has the organisation identified and documented the external issues relevant to its purpose and strategic direction?

  • Consider legal, technological, competitive, market, cultural, social, and economic environments.
    Examples: Are there records of identified external issues? Is there a process for identifying these issues?

  • Has the organisation identified and documented the internal issues relevant to its purpose and strategic direction?

  • Consider values, culture, knowledge, and performance of the organisation.
    Examples: Are there records of identified internal issues? Is there a process for identifying these issues?

Relevance to Strategic Direction

  • Do the identified internal and external issues align with the organisation's strategic direction?

  • Examples: How does the organisation ensure these issues are relevant? Are strategic objectives influenced by these identified issues?

Monitoring and Review

  • Does the organisation have a process in place to monitor and review external issues?

  • Consider how often these issues are reviewed and who is responsible.
    Examples: Are there records of regular reviews? How are changes in external context captured and addressed?

  • Does the organisation have a process in place to monitor and review internal issues?

  • Consider how often these issues are reviewed and who is responsible.
    Examples: Are there records of regular reviews? How are changes in internal context captured and addressed?

Integration with Quality Management System (QMS)

  • How does the organisation ensure that identified external and internal issues are integrated into the Quality Management System (QMS)?

  • Examples: Are the identified issues reflected in the QMS objectives, policies, or procedures?

Documentation and Evidence

  • Is there documented evidence of the identification, monitoring, and review of external and internal issues?

  • Examples: Are these documents up to date and accessible? Is there a responsible person or team for maintaining these records?

Consideration of Positive and Negative Factors

  • Has the organisation considered both positive and negative factors or conditions when identifying external and internal issues?

  • Examples: Are risks and opportunities documented? Is there a balanced approach to identifying issues?

Stakeholder Involvement

  • Are relevant stakeholders involved in the identification and review of internal and external issues?

  • Examples: Who is consulted during this process? Is there evidence of stakeholder input?

Ongoing Process

  • Is the process for understanding the organisation’s context dynamic and ongoing?

  • Examples: How does the organisation adapt to changes in context? Is there evidence of continuous monitoring and adaptation?

4.2 - Understanding the Needs and Expectations of Interested Parties

  • Notes for the Auditor:

    Review records of communications, meeting minutes, and any other relevant documentation to verify that the organisation actively identifies and monitors the needs and expectations of interested parties.
    Conduct interviews with key personnel to understand how they contribute to identifying and meeting these needs and expectations.
    Assess the organisation's ability to adapt to changes in the requirements of interested parties and how these changes are reflected in the QMS.

Identification of Interested Parties

  • Has the organisation identified all interested parties that are relevant to the Quality Management System (QMS)?

  • Examples: Who are considered interested parties (e.g., customers, suppliers, regulators, employees)? Is there a list or document identifying these parties?

  • Has the organisation determined how each identified interested party is relevant to the QMS?

  • Examples: What criteria are used to assess relevance? Are different types of relationships (e.g., direct, indirect) considered?

Determination of Requirements

  • Has the organisation identified the needs and expectations of each relevant interested party that are applicable to the QMS?

  • Examples: Are customer expectations, regulatory requirements, and supplier needs clearly understood and documented?

  • How does the organisation ensure that the identified needs and expectations are aligned with statutory and regulatory requirements?

  • Examples: Are there processes in place to verify that these requirements are updated and complied with?

Monitoring and Review

  • Does the organisation monitor and review information regarding the identified interested parties on a regular basis?

  • Examples: How frequently are reviews conducted? Are there minutes or records of these reviews?

  • Is there a system in place to capture changes in the needs and expectations of interested parties?<br>

  • Examples: How does the organisation stay informed about changes in customer requirements or new regulatory obligations?

Documentation and Evidence

  • Has the organisation retained documented information that demonstrates an understanding of the needs and expectations of interested parties?

  • Examples: Are documents up to date? Are they easily accessible and properly controlled?

  • Is there evidence that the organisation has integrated the needs and expectations of interested parties into the QMS?

  • Examples: Are there records showing how these requirements influence policies, procedures, or processes within the QMS?

Integration with Quality Management System (QMS)

  • How does the organisation ensure that the needs and expectations of interested parties are consistently met through the QMS?

  • Examples: Are these needs and expectations reflected in quality objectives, process controls, or customer satisfaction measures?

Consideration of Potential Effects

  • Has the organisation considered how the needs and expectations of interested parties could affect its ability to consistently provide products and services that meet customer and statutory/regulatory requirements?

  • Examples: Are risk assessments or impact analyses conducted? Is there a documented approach to managing potential risks and opportunities?

Stakeholder Involvement

  • Are relevant stakeholders involved in the process of identifying and understanding the needs and expectations of interested parties?

  • Examples: Are there regular meetings or communications with stakeholders? Is stakeholder feedback documented and acted upon?

Ongoing Process

  • Is the process for understanding the needs and expectations of interested parties dynamic and ongoing?

  • Examples: How does the organisation adapt to changes in the context of interested parties? Is there a process for continuous monitoring and adaptation?

4.3 - Determining the Scope of the Quality Management System

  • Notes for the Auditor:

    Review the documented scope of the QMS, ensuring it accurately reflects the organisation’s operations, products, and services.
    Evaluate any exclusions of ISO 9001 requirements to ensure they are justified and do not compromise the effectiveness of the QMS.
    Interview key personnel to understand how the scope was determined and how it is maintained.
    Check if the organisation’s scope is clearly communicated to relevant interested parties and if it is regularly reviewed and updated.

Determination of Boundaries and Applicability

  • Has the organisation clearly defined the boundaries of its Quality Management System (QMS)?

  • Examples: Are specific departments, locations, or processes included or excluded? Is there clarity on what is covered by the QMS?

  • Has the organisation determined the applicability of the QMS to all areas within its scope?

  • Examples: How is applicability assessed? Are there any areas where the QMS is intentionally not applied?

Consideration of External and Internal Issues

  • When determining the scope of the QMS, has the organisation considered the external and internal issues identified in Clause 4.1?

  • Examples: Is there evidence that the identified issues (e.g., market conditions, internal capabilities) influence the scope of the QMS?

  • Are these considerations documented and reflected in the scope of the QMS?

  • Examples: Does the scope documentation refer to or integrate insights from the context of the organisation?

Consideration of Interested Parties’ Requirements

  • Has the organisation considered the requirements of relevant interested parties identified in Clause 4.2 when determining the scope of the QMS?

  • Examples: How are customer expectations, regulatory requirements, and other stakeholder needs considered in defining the scope?

  • Are these considerations documented and reflected in the scope of the QMS?

  • Examples: Is there a clear link between stakeholder needs and the scope as defined by the organisation?

Consideration of Products and Services

  • Has the organisation considered the products and services it provides when determining the scope of the QMS?

  • Examples: Are all products and services included in the scope? If not, is there a clear rationale for exclusions?

  • Is there a documented statement of the types of products and services covered by the QMS?

  • Examples: Does the scope document clearly list or describe the products and services? Is it up to date?

Applicability of ISO 9001 Requirements

  • Does the organisation apply all the requirements of ISO 9001 that are applicable within the determined scope?

  • Examples: Are there any clauses or requirements the organisation has determined as not applicable? If so, is there a justification?

  • Has the organisation justified any exclusions of ISO 9001 requirements within the QMS scope?

  • Examples: Are these justifications documented? Do they ensure that the exclusions do not compromise product/service conformity or customer satisfaction?

Documentation of the Scope

  • Is the scope of the QMS documented and maintained as required?

  • Examples: Where is the scope documented (e.g., quality manual, procedure)? Is it reviewed and updated as necessary?

  • Does the scope statement include the types of products and services covered by the QMS?

  • Examples: Is this information clearly communicated in the scope document?

  • Does the scope statement provide justification for any ISO 9001 requirements that are not applicable?

  • Examples: Is the justification reasonable and clearly articulated in the scope document?

Communication to Interested Parties

  • If requested, can the organisation provide interested parties with information about any ISO 9001 requirements that are not applicable to the scope of the QMS?

  • Examples: Are there records of such communications? Is the organisation prepared to justify its exclusions?

  • Is the organisation’s scope statement accessible to relevant interested parties?

  • Examples: Is the scope communicated through the organisation’s website, quality manual, or other means?

Review and Maintenance of Scope*

  • Does the organisation regularly review and update the scope of its QMS to reflect any changes in external/internal issues, interested parties' requirements, or its products/services?

  • Examples: How often is the scope reviewed? Is there a process for updating the scope document?

  • Is the organisation’s scope dynamic, reflecting changes in the context, interested parties, and product/service offerings?

  • Examples: Is there evidence of recent updates to the scope? How does the organisation ensure that the scope remains relevant?

4.4: Quality Management System and Its Processes

  • Notes for the Auditor:

    Review the organisation's process documentation, including process maps, flowcharts, and procedure manuals.
    Assess whether the processes are effectively controlled, monitored, and improved based on the criteria and methods set by the organisation.
    Check for evidence of risk management activities related to process performance and verify that responsibilities and authorities are clearly communicated and understood.
    Evaluate how the organisation handles and retains documented information to support process operation and compliance.
    Interview key personnel to understand their roles in managing and improving processes within the QMS.

Establishment and Implementation of the QMS

  • Has the organisation established a Quality Management System (QMS) that includes all necessary processes and their interactions?

  • Examples: Is there a documented overview of the QMS? Are all relevant processes identified and defined?

  • Is the QMS implemented throughout the organisation, covering all applicable areas?

  • Examples: Are there documented procedures and work instructions? How is the QMS communicated across the organisation?

Determination of Processes

  • Has the organisation determined all the processes needed for the QMS and their application throughout the organisation?

  • Examples: Are all processes mapped or flowcharted? Is there clarity on where each process applies within the organisation?

  • Has the organisation determined the inputs required and the outputs expected from these processes?

  • Examples: Are inputs and outputs clearly defined for each process? Are there documented process descriptions?

  • Has the organisation determined the sequence and interaction of these processes?

  • Examples: Is there a process flow diagram or interaction matrix? Is there clarity on how processes link and influence one another?

Criteria, Methods, and Performance Indicators

  • Has the organisation determined and applied the criteria and methods, including monitoring, measurements, and related performance indicators, to ensure effective operation and control of these processes?

  • Examples: Are KPIs established for each process? Are there records of process monitoring and measurement?

  • Are these criteria and methods documented and reviewed regularly?

  • Examples: Is there a process for updating criteria and methods as necessary? Are records maintained?

Resource Determination and Availability

  • Has the organisation determined the resources needed for each process and ensured their availability?

  • Examples: Are resources (e.g., personnel, equipment, materials) allocated as required? Is resource availability regularly reviewed?

Responsibilities and Authorities

  • Has the organisation assigned responsibilities and authorities for each process?

  • Examples: Are roles and responsibilities clearly defined and documented? How are employees made aware of their responsibilities?

Addressing Risks and Opportunities

  • Has the organisation identified and addressed the risks and opportunities related to each process in accordance with Clause 6.1?

  • Examples: Are there documented risk assessments? How are opportunities for improvement identified and acted upon?

Process Evaluation and Improvement

  • Does the organisation evaluate its processes and implement any changes needed to ensure they achieve their intended results?

  • Examples: Are process reviews conducted? Is there evidence of corrective actions and improvements?

  • Is there a process for continually improving the QMS and its processes?

  • Examples: Are continuous improvement activities documented? How are improvements tracked and verified?

Supporting Documented Information

  • Does the organisation maintain documented information to support the operation of its processes?

  • Examples: Are procedures, work instructions, and process maps up to date and accessible? Is there evidence that these documents are followed?

Documented Information for Confidence

  • Does the organisation retain documented information to have confidence that processes are being carried out as planned?

  • Examples: Are records maintained that demonstrate compliance with planned processes? Are audits and checks regularly performed?

  • Is this documented information reviewed and updated as necessary?

  • Examples: Are document control procedures in place? How frequently are documents reviewed for relevance and accuracy?

Requirements of Interested Parties

  • Has the organisation defined the extent of documented information required to meet the requirements of relevant interested parties as identified in Clauses 4.2 and 4.3?

  • Examples: Are stakeholder needs for documentation considered and documented? Is there evidence of communication with interested parties regarding documentation requirements?

  • Is the documented information maintained in a way that satisfies these requirements?

  • Examples: How is the documentation shared with or made available to interested parties? Are confidentiality and accessibility balanced effectively?

5.1.1: Leadership and Commitment - General

  • Notes for the Auditor:

    Review documented evidence of top management’s involvement in the QMS, such as meeting minutes, communications, and performance reviews.
    Interview top management to understand their role in establishing, maintaining, and improving the QMS.
    Verify that the quality policy and objectives are aligned with the organisation’s strategic goals and that they are communicated effectively across the organisation.
    Assess the level of resource allocation and support provided by top management for the QMS.

Accountability for the QMS

  • How does top management demonstrate accountability for the effectiveness of the Quality Management System (QMS)?

  • Examples: Are there records of top management reviews of the QMS? How does top management participate in addressing non-conformities or areas for improvement?

Establishment of Quality Policy and Objectives

  • Has top management ensured that the quality policy and quality objectives are established?

  • Examples: Is there a documented quality policy? Are quality objectives clearly defined and aligned with the organisation’s strategic direction?

  • Are the quality policy and objectives compatible with the context and strategic direction of the organisation?

  • Examples: Is there a documented quality policy? Are quality objectives clearly defined and aligned with the organisation’s strategic direction?

Promotion of Process Approach and Risk-Based Thinking

  • How does top management promote the use of the process approach within the organisation?

  • Examples: Are there documented process flows or maps? Is process effectiveness regularly reviewed and optimised?

  • How does top management promote risk-based thinking in the organisation?

  • Examples: Is there evidence of risk assessments being conducted? How are risks and opportunities identified and managed?

Provision of Resources

  • Has top management ensured that the resources needed for the QMS are available?

  • Examples: Are there sufficient personnel, training, equipment, and infrastructure? How is resource sufficiency reviewed?

Communication on Quality Management

  • How does top management communicate the importance of effective quality management and conforming to the QMS requirements?

  • Examples: Are there regular communications from top management regarding quality? How is this communication documented (e.g., emails, meetings)?

Achievement of Intended Results

  • How does top management ensure that the QMS achieves its intended results?

  • Examples: Are there performance reviews or KPIs related to QMS objectives? How are results measured and analysed?

Engagement and Support of Personnel

  • How does top management engage, direct, and support personnel to contribute to the effectiveness of the QMS?

  • Examples: Are there initiatives or programs to involve employees in quality improvement? How is feedback from employees on the QMS gathered and acted upon?

Promotion of Improvement

  • How does top management promote continual improvement within the organisation?

  • Examples: Are there specific goals or projects aimed at improving the QMS? How is progress towards these goals tracked?

Support for Other Management Roles

  • How does top management support other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility?

  • Examples: Are there meetings or forums where management roles collaborate on quality-related issues? How does top management empower others to take leadership in quality matters?

5.1.2: Leadership and Commitment - Customer Focus

  • Notes for the Auditor:

    Review documented evidence of how customer and regulatory requirements are captured, understood, and fulfilled by the organisation.
    Evaluate the effectiveness of the organisation's risk management process, particularly in relation to customer satisfaction.
    Assess how customer satisfaction is monitored, reported, and acted upon to ensure continuous focus and improvement.

Determination and Understanding of Customer and Regulatory Requirements

  • Has top management ensured that customer requirements are determined, understood, and consistently met?

  • Examples: How does the organisation capture and document customer requirements? Are there processes in place to regularly review and update these requirements?

  • Has top management ensured that applicable statutory and regulatory requirements are determined, understood, and consistently met?

  • Examples: How does the organisation stay informed about relevant regulations? Are there documented procedures to ensure compliance with statutory and regulatory requirements?

  • Is there evidence that these requirements (customer and regulatory) are communicated effectively throughout the organisation?

  • Examples: How are these requirements integrated into processes and communicated to relevant personnel? Are training and awareness programs in place?

Addressing Risks and Opportunities

  • Has top management ensured that the risks and opportunities that can affect the conformity of products and services are determined and addressed?

  • Examples: Are risk assessments conducted regularly? How are opportunities identified and incorporated into the QMS?

  • How does the organisation monitor and evaluate these risks and opportunities to ensure they are managed effectively?

  • Examples: Is there a risk management plan? Are there records showing how risks are mitigated and opportunities are pursued?

  • Are the actions to address risks and opportunities documented and reviewed periodically?

  • Examples: Is there a log or database of identified risks and opportunities? Are corrective actions or improvement projects documented?

Maintaining Focus on Customer Satisfaction

  • How does top management ensure that the focus on enhancing customer satisfaction is maintained?

  • Examples: Are customer satisfaction metrics tracked and reported? How does top management respond to trends in customer satisfaction data?

  • Is there evidence of continual improvement initiatives aimed at enhancing customer satisfaction?

  • Examples: Are there specific programs or projects focused on improving customer experience? How is feedback from customers collected and used?

  • How does the organisation ensure that all employees are aware of the importance of customer satisfaction and their role in achieving it?

  • Examples: Are there training sessions, workshops, or communications that emphasise customer focus? How is customer feedback shared within the organisation?

5.2.1: Establishing the Quality Policy

  • Notes for the Auditor:

    Review the documented quality policy to verify that it meets all the requirements outlined in Clause 5.2.1.
    Assess how the quality policy is communicated within the organisation and whether it is understood by relevant personnel.
    Evaluate the alignment between the quality policy, the organisation’s strategic direction, and the quality objectives.
    Look for evidence of the organisation’s commitment to satisfying requirements and continual improvement in practice, not just in policy.

Appropriateness of the Quality Policy

  • Has top management established a quality policy that is appropriate to the purpose and context of the organisation?

  • Examples: How does the quality policy reflect the organisation’s mission, vision, and values? Is there evidence that the policy considers internal and external factors influencing the organisation?

  • Does the quality policy support the organisation’s strategic direction?

  • Examples: How is the quality policy aligned with the organisation’s strategic objectives? Is there documentation showing how the policy guides decision-making at the strategic level?

Framework for Setting Quality Objectives

  • Does the quality policy provide a clear framework for setting quality objectives?

  • Examples: Are the quality objectives derived from or linked to the quality policy? Are there specific, measurable, achievable, relevant, and time-bound (SMART) objectives documented?

  • How does the organisation ensure that quality objectives are consistent with the quality policy?

  • Examples: Is there a documented process for setting and reviewing quality objectives? Are the objectives periodically reviewed to ensure alignment with the policy?

Commitment to Satisfying Applicable Requirements

  • Does the quality policy include a commitment to satisfy applicable requirements (e.g., customer, statutory, regulatory)?

  • Examples: How does the quality policy address compliance with customer and legal requirements? Is there evidence of this commitment being communicated and implemented across the organisation?

  • Is there evidence that this commitment is consistently applied and monitored throughout the organisation?

  • Examples: Are there records of compliance audits or reviews? How does the organisation ensure that all applicable requirements are identified and met?

Commitment to Continual Improvement

  • Does the quality policy include a commitment to the continual improvement of the Quality Management System (QMS)?

  • Examples: How is the commitment to continual improvement articulated in the quality policy? Are there documented initiatives or programs that demonstrate this commitment in action?

  • How does the organisation demonstrate that this commitment is being implemented and maintained?

  • Examples: Are there ongoing projects or processes aimed at improving the QMS? How is progress on continual improvement monitored and reported?

5.2.2: Communicating the Quality Policy

  • Notes for the Auditor:

    Review how the quality policy is documented and maintained, ensuring it is current and accessible.
    Assess the methods used to communicate the quality policy within the organisation, and verify that employees understand and apply it in their roles.
    Evaluate how the quality policy is made available to interested parties and whether this aligns with the organisation's context and needs.

Availability and Documentation of the Quality Policy

  • Is the quality policy available and maintained as documented information?

  • Examples: Is the quality policy documented and accessible? Is it part of the QMS documentation (e.g., within a quality manual, intranet, or document management system)?

  • How does the organisation ensure that the quality policy is kept up to date and relevant?

  • Examples: Is there a review process for the quality policy? Are changes to the policy documented and communicated?

Communication, Understanding, and Application within the Organisation

  • How is the quality policy communicated within the organisation?

  • Examples: Are there records of meetings, training sessions, or communications (e.g., emails, newsletters) that discuss the quality policy? Is the policy displayed in prominent locations, such as notice boards or the company intranet?

  • How does the organisation ensure that the quality policy is understood by all relevant personnel?

  • Examples: Are employees trained on the quality policy? Are there assessments, surveys, or interviews to verify understanding?

  • How does the organisation ensure that the quality policy is applied throughout the organisation?

  • Examples: Are there procedures or work instructions that reference the quality policy? Is there evidence that employees apply the principles of the quality policy in their daily activities?

Availability to Relevant Interested Parties

  • Is the quality policy available to relevant interested parties as appropriate?

  • Examples: How is the quality policy shared with interested parties such as customers, suppliers, regulators, or partners? Is the policy available on the company website, included in contracts, or provided upon request?

  • How does the organisation determine which interested parties should have access to the quality policy?

  • Examples: Is there a documented procedure or criteria for identifying relevant interested parties? How is the distribution of the quality policy managed and recorded?

5.3: Organisational Roles, Responsibilities, and Authorities

  • Notes for the Auditor:

    Review the organisation’s documentation related to roles, responsibilities, and authorities, ensuring that it aligns with the requirements of Clause 5.3.
    Assess the effectiveness of communication and understanding of these roles throughout the organisation by interviewing personnel at different levels.
    Verify that the assigned responsibilities are being carried out, particularly in areas related to QMS conformance, process performance, customer focus, and change management.

Assignment, Communication, and Understanding of Roles

  • Has top management ensured that the responsibilities and authorities for relevant roles are assigned?

  • Examples: Is there a documented organisational chart or role descriptions? Are specific responsibilities clearly assigned to individuals or teams?

  • How are the assigned responsibilities and authorities communicated within the organisation?

  • Examples: Are roles and responsibilities communicated through job descriptions, orientation sessions, or internal communications? Is there evidence that employees are informed of their roles?

  • How does the organisation ensure that these responsibilities and authorities are understood by relevant personnel?

  • Examples: Are there records of training sessions or meetings where roles and responsibilities are discussed? Are employees able to articulate their responsibilities when interviewed?

Ensuring QMS Conformance

  • Has top management assigned responsibility and authority for ensuring that the Quality Management System (QMS) conforms to the requirements of the International Standard?

  • Examples: Is there a designated person or team responsible for QMS compliance? How is this role documented and communicated?

  • How does the responsible person/team ensure that the QMS is conforming to the standard?

  • Examples: Are there regular audits, reviews, or assessments of the QMS? Is there evidence of corrective actions being taken when non-conformities are found?

Delivery of Intended Outputs

  • Has top management assigned responsibility and authority for ensuring that processes are delivering their intended outputs?

  • Examples: Who is responsible for monitoring process performance? Is there evidence that process outputs are regularly reviewed and measured against objectives?

  • How does the organisation monitor and evaluate the effectiveness of its processes?

  • Examples: Are there performance indicators, dashboards, or reports that track process outputs? How are deviations from intended outputs addressed?

Reporting on QMS Performance and Improvement Opportunities

  • Has top management assigned responsibility for reporting on the performance of the QMS and opportunities for improvement?

  • Examples: Is there a designated person or team responsible for QMS reporting? How are these responsibilities documented?

  • How is QMS performance reported to top management?

  • Examples: Are there regular management review meetings where QMS performance is discussed? Are there reports or presentations that highlight key performance metrics and improvement opportunities?

  • How does the organisation identify and report opportunities for improvement in the QMS?

  • Examples: Are there documented processes for continuous improvement? How are improvement initiatives tracked and implemented?

Promotion of Customer Focus

  • Has top management assigned responsibility for ensuring the promotion of customer focus throughout the organisation?

  • Examples: Is there a designated person or team responsible for customer focus initiatives? How is customer focus embedded in the organisation’s culture?

  • How does the organisation promote customer focus across all levels and functions?

  • Examples: Are there training programs, awareness campaigns, or incentives that promote customer-centric behaviour? Is customer feedback integrated into decision-making processes?

Maintaining QMS Integrity During Changes

  • Has top management assigned responsibility for ensuring the integrity of the QMS when changes are planned and implemented?

  • Examples: Is there a change management process in place? Who is responsible for overseeing changes to the QMS, and how is this role communicated?

  • How does the organisation ensure that changes to the QMS do not compromise its integrity?

  • Examples: Are there documented procedures for evaluating the impact of changes? How are changes reviewed and approved?

Documentation of Roles, Responsibilities, and Authorities

  • Does the organisation maintain and retain documented information covering the responsibilities and authorities for relevant roles?

  • Examples: Are job descriptions, role profiles, or responsibility matrices documented and up-to-date? Is this documentation easily accessible to those who need it?

6.1: Actions to Address Risks and Opportunities

  • Notes for the Auditor:

    Review records of risk assessments, action plans, and evaluations to verify that the organisation is actively managing risks and opportunities.
    Conduct interviews with key personnel to understand their roles in risk identification and management.
    Assess the organisation’s ability to adapt to changes in risks and opportunities and how these are reflected in the QMS.

Consideration of Issues and Requirements

  • Has the organisation considered the external and internal issues identified in Clause 4.1 when determining risks and opportunities?

  • Examples: How are these issues documented? Are there records of regular reviews of these issues?

  • Has the organisation considered the requirements of relevant interested parties referred to in Clause 4.2 when determining risks and opportunities?

  • Examples: Are interested parties’ needs and expectations documented? Is there evidence of how these were factored into risk assessment?

Determination of Risks and Opportunities

  • Has the organisation identified the risks and opportunities that could impact the QMS’s ability to achieve its intended results?

  • Examples: Are there documented risk assessments? What methods are used to identify risks and opportunities?

  • Has the organisation identified risks that could prevent or reduce undesirable effects, and opportunities that could enhance desirable effects?

  • Examples: Are there documented evaluations of potential risks and opportunities? How does the organisation prioritise these?

Planning Actions to Address Risks and Opportunities

  • Has the organisation planned actions to address the identified risks and opportunities?

  • Examples: What action plans are in place? Are these actions documented and aligned with identified risks and opportunities?

  • Has the organisation planned how to integrate and implement these actions into its QMS processes (as per Clause 4.4)?

  • Examples: How are these actions integrated into existing processes? Is there evidence of successful implementation?

  • Has the organisation planned how to evaluate the effectiveness of the actions taken?

  • Examples: Are there monitoring and evaluation mechanisms in place? What indicators are used to measure effectiveness?

Proportionality and Appropriateness of Actions

  • Are the actions taken to address risks and opportunities proportionate to the potential impact on the conformity of products and services?

  • Examples: How does the organisation determine the proportionality of actions? Are there records showing this consideration?

  • Does the organisation apply risk treatments and opportunity realisation plans that are appropriate for the identified risks and opportunities?

  • Examples: What criteria are used to assess appropriateness? Are these treatments and plans documented?

Documentation and Evidence

  • Does the organisation maintain documented information to support the management of risks and opportunities?

  • Examples: Are there clear records of risk assessments, action plans, and evaluations? Is documentation easily accessible and controlled?

  • Is there evidence that the processes for managing risks and opportunities are being followed as planned?

  • Examples: Are there audit trails, logs, or other forms of evidence showing adherence to the processes?

Stakeholder Involvement

  • Are relevant stakeholders involved in the process of identifying and managing risks and opportunities?

  • Examples: How does the organisation ensure stakeholder engagement? Is stakeholder feedback documented and considered in risk management processes?

Ongoing Process

  • Is the process for managing risks and opportunities dynamic and ongoing?

  • Examples: How does the organisation adapt to changes in risks and opportunities? Is there a continuous monitoring and adaptation process in place?

6.2 - Quality Objectives and Planning to Achieve Them

  • Notes for the Auditor:

    Review records of quality objectives, action plans, and monitoring reports to verify that the organisation actively manages its quality objectives.
    Conduct interviews with key personnel to understand their roles in achieving and monitoring quality objectives.
    Assess the organisation’s process for updating and communicating quality objectives and how these updates are reflected in the QMS.

Establishment of Quality Objectives

  • Has the organisation established quality objectives at relevant functions, levels, and processes needed for the Quality Management System (QMS)?

  • Examples: Are there documented quality objectives for each relevant department? Are these objectives aligned with the overall strategy?

  • Are the quality objectives consistent with the quality policy?

  • Examples: How does the organisation ensure alignment between quality objectives and the quality policy? Is there evidence of this consistency?

  • Are the quality objectives measurable?

  • Examples: What metrics or KPIs are used to measure the achievement of quality objectives? Are these metrics documented and regularly reviewed?

  • Do the quality objectives take into account applicable requirements?

  • Examples: How does the organisation incorporate customer, regulatory, and statutory requirements into its quality objectives? Are there records showing this consideration?

  • Are the quality objectives relevant to the conformity of products and services and to the enhancement of customer satisfaction?

  • Examples: How are customer satisfaction and product conformity reflected in the quality objectives? Are objectives reviewed for continued relevance?

Monitoring and Communication of Quality Objectives

  • Are the quality objectives monitored?

  • Examples: How frequently are the quality objectives reviewed? Are there documented records of monitoring activities?

  • Are the quality objectives communicated within the organisation?

  • Examples: What methods are used to communicate quality objectives to employees? Is there evidence of this communication (e.g., meetings, newsletters)?

  • Are the quality objectives updated as appropriate?

  • Examples: How often are the quality objectives reviewed and updated? Are updates documented and communicated to relevant stakeholders?

Documentation of Quality Objectives

  • Does the organisation maintain documented information on the quality objectives?

  • Examples: Are there up-to-date documents that outline the quality objectives? How is this documentation controlled and accessed?

Planning to Achieve Quality Objectives

  • Has the organisation planned what will be done to achieve its quality objectives?

  • Examples: Are there specific action plans in place? Are these plans documented and aligned with the quality objectives?

  • Has the organisation determined what resources will be required to achieve the quality objectives?

  • Examples: How does the organisation identify and allocate resources (e.g., personnel, tools) needed for achieving objectives? Are resource requirements documented?

  • Has the organisation identified who will be responsible for achieving each quality objective?

  • Examples: Are roles and responsibilities clearly defined and documented? How is accountability ensured?

  • Has the organisation established timelines for when each quality objective will be completed?

  • Examples: Are there clear deadlines for each objective? How does the organisation ensure these deadlines are met?

  • Has the organisation planned how the results will be evaluated?

  • Examples: What methods are used to assess the success of the quality objectives? Is there a documented process for evaluating results?

6.3: Planning of Changes

  • Notes for the Auditor:

    Review documented procedures for managing changes to the QMS, including risk assessments, change plans, and communication records.
    Conduct interviews with personnel responsible for planning and implementing changes to understand how they manage and document these processes.
    Assess whether the organisation effectively maintains the integrity of the QMS during changes and how responsibilities are reallocated as part of the change process.

Identification and Planning of Changes

  • Has the organisation established a process to determine when changes to the Quality Management System (QMS) are needed?

  • Examples: What criteria or triggers does the organisation use to identify necessary changes to the QMS? Are there documented procedures for this process?

  • Are changes to the QMS carried out in a planned manner?

  • Examples: Is there a documented plan for each change that outlines the steps to be taken? How does the organisation ensure that changes are systematic and controlled?

Consideration of Change Impacts

  • Does the organisation consider the purpose of the changes and their potential consequences?

  • Examples: How does the organisation assess the impact of proposed changes on processes, products, or services? Are potential risks and benefits evaluated?

  • Does the organisation ensure the integrity of the QMS is maintained during and after changes?

  • Examples: What measures are in place to monitor the QMS during changes? How is continuity of compliance with ISO 9001 requirements ensured?

  • Does the organisation evaluate the availability of resources before implementing changes?

  • Examples: Are resource needs (e.g., personnel, equipment, time) assessed and allocated prior to initiating changes? Is there evidence of resource planning?

  • Does the organisation consider the allocation or reallocation of responsibilities and authorities during changes?

  • Examples: How does the organisation adjust roles and responsibilities to accommodate changes? Are these adjustments communicated and documented?

Management of Risks and Opportunities

  • Does the organisation manage risks and opportunities associated with proposed changes?

  • Examples: Are risk assessments conducted before implementing changes? How are opportunities identified and integrated into the change process?

Documentation and Control of Changes

  • Does the organisation maintain and retain documented information to manage the process of change?

  • Examples: Are change plans, risk assessments, and records of communication retained? How is this documentation controlled and reviewed?

7.1.1: General

  • Notes for the Auditor:

    Resource Availability: Check if the organisation has clearly documented the resources available and any gaps that need to be filled by external suppliers.
    Continuous Improvement: Verify that resource planning supports ongoing QMS improvements.

Resource Determination

  • Has the organisation determined the resources needed for the establishment, implementation, and continual improvement of the QMS?

  • Examples: Budget allocations for training, software, and infrastructure.

Internal and External Resources

  • Has the organisation considered the capabilities and constraints of existing internal resources and what needs to be obtained from external providers?

  • Examples: Internal resource audits, external supplier agreements.

7.1.2: People

  • Notes for the Auditor:

    Competency Management: Ensure the organisation has documented the qualifications and training of personnel required to maintain QMS effectiveness.
    Staffing Adequacy: Verify that staffing levels are appropriate for the scale and complexity of the QMS.

Sufficient Personnel

  • Has the organisation determined and provided the necessary personnel to effectively implement the QMS?

  • Examples: Staffing plans, competency matrices, hiring procedures.

7.1.3: Infrastructure

  • Notes for the Auditor:

    Preventive Maintenance: Confirm that risk-based maintenance practices are in place, such as preventive or predictive maintenance, to ensure infrastructure reliability.
    Documented Procedures: Ensure that all infrastructure processes are supported by documented procedures and that records of maintenance activities are retained.

Infrastructure Provision

  • Has the organisation determined, provided, and maintained the infrastructure necessary for process operation and product conformity?

  • Examples: Buildings, equipment, software, transportation resources.

Maintenance Records

  • Does the organisation maintain documented information of the infrastructure maintenance process, including monitoring and maintenance activities?

  • Examples: Maintenance logs, calibration records, monitoring systems.

Service-Related Infrastructure

  • For service-related infrastructure, has the organisation documented usage history, repairs, and modifications?

  • Examples: Inspection reports, spare part lists, technical requirements from manufacturers.

7.1.4: Environment for the Operation of Processes

  • Notes for the Auditor:

    Environmental Controls: Check that environmental controls (e.g., temperature, noise, safety conditions) are appropriate for product conformity and operational efficiency.
    Human Factors: Verify the organisation addresses human factors such as stress and workplace safety in maintaining a non-discriminatory, calm, and supportive work environment.

Suitable Environment

  • Has the organisation determined, provided, and maintained a suitable environment (both physical and human) for process operation and product conformity?

  • Examples: Climate control, noise reduction, ergonomic workstations, safe work environments.

7.1.5.1 Monitoring and Measuring Resources

  • Notes for the Auditor:

    Calibration Records: Ensure calibration records are recent and traceable to recognised standards.
    Maintenance Logs: Check for evidence that resources are maintained regularly to prevent equipment failure.
    Traceability: Verify that measuring equipment has clear traceability back to national or international standards, especially in critical measurements.
    Non-Conformance Procedures: Confirm the organisation has clear procedures for when measuring equipment is found non-compliant, including how they communicate this to customers.

Determination and Provision of Resources

  • Has the organisation determined and provided the necessary resources to ensure valid and reliable monitoring and measuring results?

  • Examples: Equipment procurement records, calibration equipment details, resource allocation plans.

Suitability of Resources

  • Are the resources provided suitable for the specific monitoring and measurement activities?

  • Examples: Calibration logs, equipment manuals, training documents for equipment operators.

Maintenance of Fitness for Purpose

  • Are resources maintained to ensure their continuing fitness for their purpose?

  • Examples: Maintenance records, inspection logs, performance review reports of measuring equipment.

Documented Information

  • Is documented information available as evidence of fitness for purpose for monitoring and measurement resources?

  • Examples: Calibration certificates, inspection checklists, maintenance reports.

7.1.5.2: Measurement Traceability

  • Notes for the Auditor:

    Calibration Records: Ensure calibration records are recent and traceable to recognised standards.
    Maintenance Logs: Check for evidence that resources are maintained regularly to prevent equipment failure.
    Traceability: Verify that measuring equipment has clear traceability back to national or international standards, especially in critical measurements.
    Non-Conformance Procedures: Confirm the organisation has clear procedures for when measuring equipment is found non-compliant, including how they communicate this to customers.

Calibration and Verification

  • Is the measuring equipment calibrated or verified at specified intervals, and is it traceable to national or international standards?

  • Examples: Calibration schedules, verification records, national standards certificates.

Identification of Equipment Status

  • Is the measurement equipment identified to determine its calibration or verification status?

  • Examples: Labelling or tagging of equipment, status logs, colour coding or digital tracking systems.

Safeguarding Equipment

  • Is the equipment safeguarded from adjustments, damage, or deterioration that would invalidate its status and results?

  • Examples: Protective cases, controlled storage areas, equipment handling procedures.

Action on Non-Conformance

  • Are documented actions taken when equipment is found unfit for its intended purpose, including any required customer notifications?

  • Examples: Incident reports, corrective action records, customer notification templates.

7.1.6: Organisational Knowledge

  • Notes for the Auditor:

    Knowledge Accessibility: Check whether the knowledge is readily accessible to employees and stakeholders who need it, especially during critical tasks.
    Knowledge Gaps: Verify that the organisation is actively identifying and addressing knowledge gaps, particularly in response to technological advances or market changes.
    Internal & External Knowledge Sources: Ensure there is a system for collecting and documenting knowledge from both internal and external sources, such as employee expertise and industry updates.
    Knowledge Sharing Mechanisms: Confirm that the organisation has mechanisms in place for sharing knowledge across departments or functions, such as regular training sessions or a shared knowledge repository.
    Review of Knowledge Systems: Check that the organisation's system for maintaining and acquiring knowledge is reviewed periodically to stay current with evolving business needs.

Knowledge Determination

  • Has the organisation determined the knowledge necessary for the operation of its processes and for achieving conformity of products and services?

  • Examples: Knowledge management systems, skills matrix, documented processes and procedures.

Knowledge Maintenance and Accessibility

  • Is this knowledge maintained and made available to the extent necessary?

  • Examples: Internal databases, training materials, access to subject matter experts.

Addressing Changing Needs and Trends

  • Has the organisation considered its current knowledge and how to acquire or access any additional knowledge in response to changing needs and trends?

  • Examples: Industry trend reports, continuous improvement initiatives, training and development plans.

Internal Sources of Knowledge

  • Does the organisation capture and share knowledge gained from internal sources such as intellectual property, experience, lessons learned, and improvements?

  • Examples: Internal audits, project post-mortems, R&D reports, lessons learned logs.

External Sources of Knowledge

  • Does the organisation capture and utilise knowledge gained from external sources such as standards, academia, conferences, customers, and external providers?

  • Examples: Conference notes, customer feedback records, industry standards subscriptions.

7.2: Competence

  • Notes for the Auditor:

    Competency Assessments: Ensure the organisation conducts regular competency assessments and that results are documented.
    Training Programs: Confirm that training programs are relevant to the employee’s role and that there is evidence of improvement or competence development.
    Risk-Based Competence: Verify that the level of competence required is aligned with the risk level of the tasks performed.

Competence Determination

  • Has the organisation determined the necessary competence of individuals performing work under its control that affects the performance and effectiveness of the QMS?

  • Examples: Competency frameworks, job role descriptions, skills gap analysis.

Competence on Education, Training, or Experience

  • Does the organisation ensure that individuals are competent based on appropriate education, training, or experience?

  • Examples: Employee qualifications, training records, professional certifications.

Competence Acquisition and Evaluation

  • Are actions taken to acquire necessary competence, and is the effectiveness of these actions evaluated?

  • Examples: Training programs, mentoring sessions, post-training evaluations.

Retention of Documented Competence Information

  • Does the organisation retain documented information as evidence of competence?

  • Examples: Competency evaluation forms, certificates of achievement, training records.

7.3: Awareness

  • Notes for the Auditor:

    Internal Communication: Check how the organisation communicates quality policies and objectives to staff at different levels.
    Employee Engagement: Verify whether employees understand their role in achieving quality objectives and the repercussions of non-conformance.
    Effectiveness of Awareness Programs: Confirm that the organisation has mechanisms in place to track the effectiveness of awareness programs, such as surveys or tests.

Awareness of Quality Policy

  • Are persons doing work under the organisation's control aware of the quality policy?

  • Examples: Quality policy communication materials, meeting minutes, training sessions.

Awareness of Quality Objectives

  • Are persons doing work aware of the relevant quality objectives?

  • Examples: Performance review records, goal-setting workshops, employee briefings.

Awareness of Contributions to QMS Effectiveness

  • Are employees aware of how their contributions affect the effectiveness of the QMS and the benefits of improved performance?

  • Examples: Performance appraisals, feedback sessions, team briefings.

Awareness of Non-conformance Implications

  • Are employees aware of the implications of not conforming with QMS requirements?

  • Examples: Non-conformance training materials, corrective action reports, policy communication.

7.4: Communication

  • Notes for the Auditor:

    Communication Strategy: Review the organisation’s communication strategy to ensure it is well-defined and includes all relevant parties.
    Frequency and Channels: Verify the frequency of communications and check that the chosen communication channels are effective for reaching all stakeholders.
    Communication Responsibilities: Confirm that communication responsibilities are assigned and documented, and that relevant personnel are aware of their roles.

Determining What to Communicate

  • Has the organisation determined what information is communicated internally and externally related to the QMS?

  • Examples: Communication strategy documents, QMS updates, meeting agendas.

Determining When to Communicate

  • Does the organisation have procedures to define when communication should occur?

  • Examples: Communication calendars, periodic updates, situational announcements.

Determining with Whom to Communicate

  • Has the organisation defined the internal and external stakeholders with whom it will communicate?

  • Examples: Stakeholder lists, contact directories, communication flow charts.

Determining How to Communicate

  • Has the organisation defined the methods it will use to communicate, both internally and externally?

  • Examples: Email systems, internal memos, external newsletters.

Determining Who Will Communicate

  • Has the organisation established roles and responsibilities for communication related to the QMS?

  • Examples: Job role descriptions, communication plans, designated spokespersons.

7.5.1: General

  • Notes for the Auditor:

    Consistency in Documentation: Ensure that the documented information aligns with the organisation's activities, processes, and services.
    Risk and Complexity: Check whether the level of documentation corresponds to the complexity of the processes and interactions within the organisation.

Documented Information Inclusion

  • Has the organisation included the documented information required by the ISO standard in its QMS?

  • Examples: Quality manuals, process flow charts, standard operating procedures.

Effectiveness Documentation

  • Has the organisation determined and documented the information necessary for the effectiveness of the QMS?

  • Examples: Evidence of performance, audit results, quality records.

7.5.2: Creating and Updating

  • Notes for the Auditor:

    Approval Processes: Verify that documented information is reviewed and approved by authorised personnel before release.
    Adequacy of Information: Ensure the documentation process includes checks for completeness, accuracy, and consistency.

Identification and Description

  • Does the organisation ensure that created and updated documented information is appropriately identified and described (title, date, reference number)?

  • Examples: Document templates, metadata, document control systems.

Format and Media

  • Has the organisation specified the format (language, software, graphics) and media (paper or electronic) for documented information?

  • Examples: Standardised formats for electronic files, clear file-naming conventions.

Review and Approval

  • Are review and approval processes in place for documented information to ensure suitability and adequacy?

  • Examples: Document review records, approval signatures, version control systems.

7.5.3: Control of Documented Information

  • Notes for the Auditor:

    Document Accessibility: Ensure that relevant documents are readily accessible to authorised personnel and that retrieval processes are efficient.
    Version Control: Confirm that the organisation maintains effective version control and that employees are aware of the latest version of documents.
    Retention Policies: Check if the organisation has clear retention policies in place and that these align with legal or regulatory requirements.

Availability and Suitability

  • Is documented information available and suitable for use where and when it is needed?

  • Examples: Accessible document repositories, real-time document updates, user access permissions.

Protection

  • Is documented information adequately protected from loss of confidentiality, improper use, or loss of integrity?

  • Examples: Data encryption, access controls, back-up protocols.

Control of Changes

  • Are changes to documented information controlled (e.g., version control)?

  • Examples: Version history logs, change request forms, updated document identifiers.

Retention and Disposition

  • Are documented information retention and disposition policies in place, ensuring that documents are kept or disposed of appropriately?

  • Examples: Retention schedules, archiving protocols, deletion processes.

Control of External Origin Documents

  • Has the organisation determined which documents of external origin are necessary for the operation of the QMS, and are they appropriately controlled?

  • Examples: Supplier manuals, regulatory standards, third-party reports.

8.1: Operational Planning and Control

  • Notes for the Auditor:

    Operational Process Control: Ensure documented information is maintained and controlled in line with the requirements of Clauses 8.1, 6.1, and 7.5.
    Risk-Based Planning: Confirm that contingency plans include roles, responsibilities, communication methods, and immediate action protocols.

Operational Planning

  • Has the organisation determined the requirements for products and services?

  • Examples: Product specifications, customer requirements documentation.

Establishing Criteria

  • Has the organisation established criteria for processes and the acceptance of products and services?

  • Examples: Process control plans, acceptance criteria documentation.

Resource Determination

  • Has the organisation determined the resources needed to ensure conformity to product and service requirements?

  • Examples: Resource planning documents, staffing and equipment plans.

Process Implementation and Control

  • Has the organisation implemented control of the processes according to the criteria, including documenting processes?

  • Examples: Process control records, standard operating procedures.

Maintaining Records

  • Does the organisation maintain documented information to demonstrate that processes have been carried out as planned and products meet their requirements?

  • Examples: Quality records, process logs.

Change Management

  • Does the organisation have a change management process to manage risks related to operational changes?

  • Examples: Change request forms, risk assessment documents.

Contingency Planning

  • Has the organisation established contingency plans that address roles, communication, and immediate actions in case of risks?

  • Examples: Contingency plans, disaster recovery plans.

8.2.1: Customer Communication

  • Notes for the Auditor:

    Customer Communication: Verify that customer communication processes are documented and that the organisation responds effectively to customer enquiries, feedback, and property handling.
    Requirement Definition: Ensure that the organisation clearly defines and documents both regulatory and customer-specific requirements for products and services.

Customer Information

  • Does the organisation provide necessary information relating to products and services to customers?

  • Examples: Product brochures, service agreements.

Handling Customer Enquiries

  • Does the organisation handle enquiries, contracts, or orders, including changes?

  • Examples: Customer service logs, contract management systems.

Customer Feedback

  • Does the organisation obtain customer feedback, including handling complaints?

  • Examples: Customer feedback forms, complaint management logs.

Handling Customer Property

  • Does the organisation handle or control customer property, if applicable?

  • Examples: Property control logs, equipment tracking.

Contingency Communication

  • Does the organisation establish specific communication for contingency actions, when necessary?

  • Examples: Emergency communication plans, customer notification records.

8.2.2: Determining the Requirements for Products and Services

  • Notes for the Auditor:

    Customer Communication: Verify that customer communication processes are documented and that the organisation responds effectively to customer enquiries, feedback, and property handling.
    Requirement Definition: Ensure that the organisation clearly defines and documents both regulatory and customer-specific requirements for products and services.

Requirement Identification

  • Has the organisation determined the requirements for products and services, ensuring they are defined, including statutory and regulatory requirements?

  • Examples: Regulatory compliance records, statutory requirement documentation.

Claims Management

  • Does the organisation ensure it can meet the claims for the products and services it offers?

  • Examples: Product specification documents, service level agreements (SLAs).

8.2.3: Review of the Requirements for Products and Services

  • Notes for the Auditor:

    Customer Requirement Reviews: Ensure that all requirements, both explicit and implicit, are reviewed before acceptance and that any changes are communicated and documented.
    Documented Review Procedures: Verify that there are documented procedures and records demonstrating the organisation’s ability to meet customer, statutory, and regulatory requirements.

Ability to Meet Requirements

  • Has the organisation ensured that it has the ability to meet the requirements for products and services to be offered to customers?

  • Examples: Contract reviews, order confirmation records.

Customer-Specified Requirements

  • Has the organisation reviewed customer-specified requirements, including those for delivery and post-delivery activities?

  • Examples: Customer contracts, delivery schedules.

Unstated Customer Requirements

  • Does the organisation review requirements not stated by the customer but necessary for the intended use?

  • Examples: Risk assessments, product specification documents.

Statutory and Regulatory Requirements

  • Has the organisation reviewed statutory and regulatory requirements applicable to the products and services?

  • Examples: Compliance checklists, legal requirement documentation.

Order and Contract Changes

  • Does the organisation review contract or order requirements that differ from those previously expressed?

  • Examples: Contract amendments, order change forms.

Customer Communication

  • Has the organisation communicated with the customer to confirm their requirements before acceptance, when the customer does not provide a documented statement of requirements?

  • Examples: Customer emails, meeting minutes.

Documented Information for Review

  • Does the organisation maintain documented information defining the process for reviewing the requirements for products and services?

  • Examples: Review logs, documented procedures for order reviews.

8.2.4: Changes to Requirements for Products and Services

  • Notes for the Auditor:

    Customer Requirement Reviews: Ensure that all requirements, both explicit and implicit, are reviewed before acceptance and that any changes are communicated and documented.
    Documented Review Procedures: Verify that there are documented procedures and records demonstrating the organisation’s ability to meet customer, statutory, and regulatory requirements.

Changes to Requirements for Products and Services

  • Has the organisation ensured that relevant documented information is amended, and that relevant personnel are made aware of changed requirements when requirements for products and services are modified?

  • Examples: Change request logs, updated documentation.

8.3.1: General

  • Notes for the Auditor:

    Design Planning and Control: Ensure the design and development process is well-documented and managed, with clear responsibilities and verification activities.
    Customer Involvement: Verify that customers are involved in the design process, where applicable, and that their feedback is incorporated into design decisions.

Design and Development Process

  • Has the organisation established, implemented, and maintained a design and development process that is appropriate to ensure the subsequent provision of products and services?

  • Examples: Design and development plans, process flowcharts.

8.3.2: Design and Development Planning

  • Notes for the Auditor:

    Design Planning and Control: Ensure the design and development process is well-documented and managed, with clear responsibilities and verification activities.
    Customer Involvement: Verify that customers are involved in the design process, where applicable, and that their feedback is incorporated into design decisions.

Stage Determination

  • Has the organisation determined the stages and controls for design and development based on the nature, duration, and complexity of the activities?

  • Examples: Design stage plans, project timelines.

Resource Needs

  • Has the organisation determined internal and external resource needs for design and development?

  • Examples: Resource allocation plans, project staffing records.

Design Review Process

  • Does the organisation have a defined process for conducting design and development reviews, including applicable verification and validation activities?

  • Examples: Design review meeting minutes, validation reports.

Authority and Responsibility

  • Has the organisation defined responsibilities and authorities for the design and development process?

  • Examples: Responsibility matrices, role descriptions.

Customer Involvement

  • Is there a process in place to involve customers and users in the design and development process, when applicable?

  • Examples: Customer feedback logs, user involvement records.

Risk Management in Design

  • Has the organisation integrated risk management into the design and development process, considering both opportunities and risks?

  • Examples: Risk registers, risk analysis reports.

Control of Interfaces

  • Are interfaces between persons involved in the design and development process controlled to ensure proper communication and coordination?

  • Examples: Interface control documents, communication plans.

Design Documentation

  • Does the organisation maintain documented information demonstrating that design and development requirements have been met?

  • Examples: Design specifications, development logs.

8.3.3: Design and Development Inputs

  • Notes for the Auditor:

    Ensure that all design and development inputs are adequately documented, clear, and unambiguous. Conflicting inputs should be resolved before proceeding. Ensure statutory, regulatory, and industry standards are integrated into the design process. Documented evidence should be retained and periodically reviewed for adequacy and accuracy.

Functional and Performance Requirements

  • Has the organisation determined the functional and performance requirements essential for the types of products and services to be designed and developed?

  • Example: Product specifications should align with the customer’s needs, including operational parameters and service expectations.

Previous Design and Development Activities

  • Has the organisation considered information derived from previous similar design and development activities?

  • Example: Lessons learned from previous designs or development phases can help prevent recurring mistakes.

Statutory and Regulatory Requirements

  • Are statutory and regulatory requirements considered in the design and development inputs?

  • Example: Ensure compliance with local or international safety standards during the design process (e.g., environmental regulations).

Standards and Codes of Practice

  • Has the organisation considered standards or codes of practice it is committed to implementing?

  • Example: The design process should align with relevant industry standards (e.g., ISO, IEC).

Failure Consequences

  • Are potential consequences of failure due to the nature of products and services considered?

  • Example: Assessing risks related to product failure that could affect safety or performance in end-use conditions.

8.3.4: Design and Development Controls

  • Notes for the Auditor:

    Ensure that design reviews are documented and that verification and validation processes are robust. These activities should confirm that the design outputs align with the inputs and meet all functional and performance requirements. Retain records of all control activities, including any identified non-conformities and corrective actions taken.

Review and Verification

  • Are reviews conducted to evaluate the ability of the results of design and development to meet requirements?

  • Example: Design reviews should include cross-functional teams to ensure the product meets design criteria.

Verification Activities

  • Are verification activities conducted to ensure that the design and development outputs meet the input requirements?

  • Example: Functional tests should be performed to validate that product outputs align with initial design inputs.

Validation Activities

  • Are validation activities conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use?

  • Example: Prototype testing should simulate real-world conditions to validate the design before full-scale production.

8.3.5: Design and Development Outputs

  • Notes for the Auditor:

    Ensure that the outputs from the design process align with both input requirements and are suitable for the following processes, including manufacturing and delivery. Verify that specifications related to monitoring, measuring, and essential product characteristics are adequately documented.

Meeting Input Requirements

  • Does the organisation ensure that design and development outputs meet the input requirements?

  • Example: Specifications should address all customer needs and statutory/regulatory requirements.

Adequacy of Outputs for Subsequent Processes

  • Are design and development outputs adequate for the subsequent processes required for the provision of products and services?

  • Example: Ensure the design meets manufacturing, testing, and delivery requirements.

Monitoring and Measuring Requirements

  • Do design outputs specify any reference to monitoring and measuring requirements where appropriate?

  • Example: Include clear instructions for quality checks at each stage of the production process.

Characteristics of Products and Services

  • Do outputs specify the characteristics of products and services that are essential for their safe and proper provision?

  • Example: Product dimensions, tolerances, and environmental standards must be clearly defined.

8.3.6: Design and Development Changes

  • Notes for the Auditor:

    Verify that all changes to the design and development process are properly reviewed, authorised, and documented. Ensure the organisation retains records that demonstrate how changes were managed and assessed for their potential impact on product conformity.

Review of Changes

  • Does the organisation identify, review, and control changes made during or subsequent to the design and development of products and services?

  • Example: Ensure that design modifications due to unforeseen issues are evaluated and authorised.

Authorisation of Changes

  • Are the changes authorised, and is their impact on conformity to requirements assessed?

  • Example: Any changes in materials, specifications, or methods must be approved by relevant stakeholders.

Retention of Documented Information

  • Is documented information on design and development changes, including reviews, retained?

  • Example: Maintain a record of all design alterations for traceability.

8.4.1: General

  • Notes for the Auditor:

    Ensure that documented processes are in place for evaluating and selecting external providers. Confirm that records of supplier evaluations, including monitoring, are maintained and regularly reviewed. Verify that all externally provided processes and products meet the organisation’s requirements before use.

Conformance of Externally Provided Products, Processes, and Services

  • Does the organisation ensure that externally provided processes, products, and services conform to its requirements?

  • Example: Contracts or purchase orders should clearly outline the requirements to be met by external providers.

Determining Controls for External Providers

  • Has the organisation determined the controls to be applied when products and services are sourced externally for incorporation into its products and services?

  • Example: The organisation should have a defined supplier evaluation process to assess their ability to meet quality, safety, and regulatory requirements.

Selection, Monitoring, and Re-Evaluation of Providers

  • Does the organisation determine and apply criteria for the selection, monitoring, and re-evaluation of external providers?

  • Example: Regular supplier audits, quality performance reviews, and corrective action follow-ups.

8.4.2: Type and Extent of Control

  • Notes for the Auditor:

    Check that there are clear and documented processes for defining the type and extent of controls applied to external providers. These should include risk assessments, performance monitoring, and defined verification steps. Ensure that the effectiveness of controls is regularly evaluated and any identified risks are addressed.

Control of External Processes

  • Does the organisation ensure that externally provided processes remain under its control within the quality management system?

  • Example: The organisation should have oversight over critical suppliers, such as by conducting quality checks or validation tests on incoming materials.

Controls for External Providers and Resulting Outputs

  • Has the organisation defined the controls it intends to apply to external providers and the resulting outputs?

  • Example: Requirements for inspections, testing, and acceptance criteria of products provided by suppliers should be established.

Consideration of Impact and Controls

  • Does the organisation take into account the impact of externally provided processes, products, and services on its ability to meet customer and statutory/regulatory requirements?

  • Example: Supplier risk assessments should be carried out for critical materials and processes.

8.4.3: Information for External Providers

  • Notes for the Auditor:

    Ensure that external providers are fully informed of the organisation’s requirements, including product specifications, delivery schedules, and performance expectations. Verify that the organisation has processes in place to monitor and control the performance of external providers. Documented communication records should be reviewed to ensure transparency and compliance.

Adequacy of Requirements

  • Has the organisation ensured that adequate requirements are communicated to external providers before processes, products, or services are provided?

  • Example: Suppliers should be informed of necessary qualifications, testing standards, and the acceptance criteria for products delivered.

Communication to External Providers

  • Does the organisation communicate to external providers the specific requirements related to the processes, products, and services to be provided, including any approval processes?

  • Example: Suppliers should be informed of necessary qualifications, testing standards, and the acceptance criteria for products delivered.

Monitoring and Control of Provider Performance

  • Does the organisation communicate the control and monitoring processes that will apply to external providers’ performance?

  • Example: Regular performance reviews, quality scorecards, and feedback mechanisms should be in place.

8.5.1: Control of Production and Service Provision

  • Notes for the Auditor:

    Verify that all production and service processes are documented and controlled. Check that resources, including equipment and personnel, are adequate and competent for the tasks. Confirm that the organisation has maintained records of product releases and any necessary post-delivery support activities.

Documented Information Availability

  • Does the organisation have documented information that defines the characteristics of products and services to be provided?

  • Example: Documented work instructions, process flow charts, and job descriptions.

Monitoring and Measuring Resources

  • Are suitable monitoring and measuring resources available and used to verify product and service conformity?

  • Example: Calibration records of measuring devices, documented inspection procedures.

Competence of Personnel

  • Does the organisation ensure that competent personnel, including qualified operators, are available for production and service provision?

  • Example: Employee training records, certifications, or qualification exams.

Competence of Personnel

  • Does the organisation ensure that competent personnel, including qualified operators, are available for production and service provision?

  • Example: Employee training records, certifications, or qualification exams.

Release and Post-Delivery Activities

  • Are processes in place for the release of products or services, as well as post-delivery activities, as needed?

  • Example: Finished product inspection reports, customer feedback tracking, and corrective actions.

8.5.2: Identification and Traceability

  • Notes for the Auditor:

    Confirm that the organisation has procedures in place for identifying products and services throughout production. Traceability should be established for key materials and parts, especially where it is a regulatory or customer requirement. Check records of traceability, such as serial numbers and inspection results.

Identification of Outputs

  • Does the organisation identify outputs when it is necessary to ensure conformity to requirements?

  • Example: Labelling of materials, part numbers, and identification tags for traceability.

Status Identification

  • Does the organisation identify the status of outputs with respect to monitoring and measuring requirements?

  • Example: Use of status labels such as “approved,” “rejected,” or “in-process.”

Unique Identification for Traceability

  • Where traceability is a requirement, does the organisation control the unique identification of outputs and maintain relevant documented information?

  • Example: Batch numbers, serial numbers, or job cards to track the production process.

8.5.3: Property Belonging to Customers or External Providers

  • Notes for the Auditor:

    Check how the organisation manages customer and external provider property. Verify that there are processes for identifying, protecting, and returning such property and that any incidents of damage or loss are recorded and communicated to the customer.

Identification and Protection of Customer Property

  • Does the organisation exercise care with customer or external provider property, identifying, verifying, protecting, and safeguarding it as required?

  • Example: Handling customer-provided materials like tools, components, or intellectual property.

Action When Customer Property is Damaged

  • Does the organisation report to the customer when their property is lost, damaged, or unsuitable for use, and maintain documented information on what has occurred?

  • Example: Incident reports or customer notification records.

8.5.4: Preservation

  • Notes for the Auditor:

    Review the organisation’s preservation processes, especially for products that are sensitive to environmental conditions or handling. Confirm that there are adequate controls for packaging, storage, and transport to prevent deterioration. Preservation methods should be clearly defined and monitored to ensure effectiveness.

Preservation Methods

  • Does the organisation ensure that preservation methods, including environmental controls and packaging, are adequate to maintain product conformity throughout production and delivery?

  • Example: Products stored in climate-controlled environments, protected packaging to prevent damage.

Control of Preservation Processes

  • Are the organisation’s preservation processes documented, and do they define the methods used to prevent deterioration of products?

  • Example: Procedures outlining how to handle fragile or perishable materials, such as using desiccants or protective casings.

Delivery Controls

  • Does the organisation control the conditions during delivery, ensuring that conformity to product requirements is maintained until the customer receives the product?

  • Example: Temperature control during shipping or ensuring that packaging is durable for transport.

8.5.5: Post-Delivery Activities

  • Notes for the Auditor:

    Check that the organisation has defined post-delivery activities, such as warranties and maintenance, based on customer needs, regulatory requirements, and potential risks. Review customer feedback records and any reports of after-sales support or services provided.

Post-Delivery Requirements

  • Does the organisation meet requirements for post-delivery activities associated with the products and services?

  • Example: Provision of maintenance services, warranty obligations, and spare parts availability.

Consideration of Statutory and Regulatory Requirements

  • Does the organisation consider statutory and regulatory requirements when determining post-delivery activities?

  • Example: Compliance with industry-specific laws such as product recalls or safety bulletins.

Customer Feedback and Potential Risks

  • Does the organisation assess customer feedback and potential undesired consequences to define post-delivery activities?

  • Example: Customer satisfaction surveys, handling product returns, or repairs.

8.5.6: Control of Changes

  • Notes for the Auditor:

    Verify that changes in production or service provision are controlled and reviewed to ensure they meet customer and regulatory requirements. Review records of changes, approvals, and risk assessments to ensure changes were properly documented and authorised.

8.5.6: Control of Changes

  • Does the organisation review and control changes to production or service provision to ensure conformity with requirements?

  • Example: Documented change management procedures, change review meetings.

Documentation of Changes

  • Does the organisation retain documented information on the review of changes, including authorisation and actions taken?

  • Example: Change request forms, approved change orders, and records of actions.

8.6: Release of Products and Services

  • Notes for the Auditor:

    Ensure that all products and services are released only after verification of conformity to specified requirements. Review evidence of final inspections and the documentation that shows who authorised the release.

Verification of Conformity Before Release

  • Does the organisation implement planned arrangements to verify that product and service requirements have been met before release?

  • Example: Inspection reports, final product testing, quality control records.

Documented Evidence for Product Release

  • Does the organisation retain documented information that provides evidence of conformity with acceptance criteria and traceability to the person authorising the release?

  • Example: Signed-off inspection sheets, records of product conformity.

8.7.1: Control of Nonconforming Outputs

  • Notes for the Auditor:

    Review how nonconforming outputs are controlled and documented. Ensure the organisation takes appropriate actions, such as correction, rework, or disposal, and that customer or regulatory approvals are obtained when required.

Control and Identification of Nonconforming Products

  • Does the organisation ensure that nonconforming products are identified and controlled to prevent unintended use or delivery?

  • Example: Segregation areas for nonconforming materials, quarantine tags.

Appropriate Action for Nonconformance

  • Does the organisation take appropriate action based on the nature of the nonconformity and its effect on the product or service?

  • Example: Correction, rework, or scrapping of nonconforming products.

undefined

8.7.2: Documentation of Nonconformities

  • Notes for the Auditor:

    Verify that all nonconforming outputs are recorded, including the actions taken to resolve them. Ensure that the documentation describes the nature of the nonconformity, actions for correction, and any decisions about concessions.

Documenting Nonconformity Actions

  • Does the organisation retain documented information that describes the nonconformity, actions taken, and any concessions granted?

  • Example: Nonconformance reports (NCRs), corrective action forms.

9.1: Monitoring, Measurement, Analysis, and Evaluation

  • Notes for the Auditor:

    Verify that the organisation has documented and implemented processes for monitoring, measuring, analysing, and evaluating data related to product quality and system effectiveness. Review records to confirm that monitoring is performed consistently and that results are analysed to identify improvement opportunities.

Monitoring and Measurement Determination

  • Has the organisation determined what needs to be monitored and measured to ensure the effectiveness of the quality management system?

  • Example: Monitoring production process efficiency, measuring product conformity to specifications.

Methods for Monitoring and Measurement

  • Are methods defined for monitoring, measurement, analysis, and evaluation to ensure valid results?

  • Example: Statistical Process Control (SPC), customer satisfaction surveys.

Timing of Monitoring and Measurement

  • Has the organisation defined when monitoring and measuring shall be performed?

  • Example: Weekly product inspections, monthly performance reviews.

Analysis and Evaluation of Monitoring Results

  • Does the organisation analyse and evaluate the results from monitoring and measurement?

  • Example: Analysis of scrap rates, defect trends, and corrective action reports.

Retention of Documented Information

  • Does the organisation retain documented information as evidence of monitoring and measurement results?

  • Example: Quality reports, monitoring logs, performance dashboards.

9.1.2: Customer Satisfaction

  • Notes for the Auditor:

    Review the organisation's customer feedback collection processes to ensure they are comprehensive and systematic. Check how customer feedback is analysed and whether the results are used to drive improvements.

Monitoring Customer Perceptions

  • Does the organisation monitor customer perceptions regarding the extent to which their needs and expectations have been fulfilled?

  • Example: Customer satisfaction surveys, feedback forms.

Methods for Collecting Customer Feedback

  • Has the organisation determined methods for obtaining, monitoring, and reviewing customer feedback?

  • Example: Direct customer feedback, complaints management systems.

Documented Information on Customer Satisfaction

  • Does the organisation maintain documented information on the processes used to measure customer satisfaction?

  • Example: Summary reports from customer surveys, complaint resolution logs.

9.1.3: Analysis and Evaluation

  • Notes for the Auditor:

    Ensure the organisation has processes in place for analysing data related to product conformity, process effectiveness, and customer satisfaction. Review records of data analysis and verify that results are used to evaluate the QMS and identify areas for improvement.

Analysis of Data and Information

  • Does the organisation analyse and evaluate appropriate data arising from monitoring and measurement activities?

  • Example: Analysis of quality trends, process performance indicators, and supplier performance metrics.

Use of Analysis Results

  • Are the results of analysis used to evaluate conformity of products and services?

  • Example: Evaluation of rejected products, customer returns.

  • Are the results of analysis used to evaluate customer satisfaction?

  • Example: Trends in customer satisfaction survey results

  • Are the results of analysis used to evaluate effectiveness of the QMS?

  • Example: QMS audit findings, corrective actions implemented.

  • Are the results of analysis used to evaluate effectiveness of actions taken to address risks and opportunities?

  • Example: Risk management reports, effectiveness of preventive actions.

Documented Information for Analysis Process

  • Does the organisation maintain documented information that defines the process for identifying, collecting, and analysing data to demonstrate the suitability and effectiveness of the quality management system?

  • Example: Internal audit reports, management review minutes, performance data analyses.

9.2.1: General

  • Notes for the Auditor:

    Check that the audit programme is well-established and includes all relevant areas and processes. Ensure that internal audits are carried out at planned intervals, and that audit findings are reviewed and acted upon promptly.

Conformance to QMS and ISO 9001 Requirements

  • Does the internal audit assess whether the quality management system (QMS) conforms to the organisation’s requirements for its QMS?

  • Example: Internal procedures, quality policies, and manuals.

  • Does the internal audit assess whether the quality management system (QMS) conforms to the requirements of ISO 9001?

  • Example: Compliance with clauses such as product realisation, customer satisfaction, and continual improvement.

Implementation and Maintenance of QMS

  • Does the audit check if the QMS is effectively implemented and maintained?

  • Example: Review of process effectiveness, performance of corrective actions, evidence of continual improvement.

9.2.2: Internal Audit Programme

  • Notes for the Auditor:

    Check that the audit programme is well-established and includes all relevant areas and processes. Ensure that internal audits are carried out at planned intervals, and that audit findings are reviewed and acted upon promptly.

Audit Programme and Planning

  • Has the organisation established and maintained an audit programme(s) that includes frequency, methods, responsibilities, planning, and reporting?

  • Example: Annual audit schedules, defined audit scope, and auditor assignments.

Audit Criteria and Scope

  • Does the organisation define audit criteria and the scope for each audit?

  • Example: Scope limited to specific departments, criteria based on internal standards and ISO 9001 requirements.

Selection of Auditors and Objectivity

  • Are auditors selected to ensure objectivity and impartiality?

  • Example: Auditors are independent of the area being audited, use of external auditors for critical processes.

Audit Reporting and Corrective Actions

  • Are audit results reported to relevant management and corrective actions taken without delay?

  • Example: Audit findings communicated to department heads, timely corrective action plans.

Retention of Audit Records

  • Does the organisation retain documented information as evidence of the implementation of the audit programme and the audit results?

  • Example: Audit reports, records of corrective actions, audit schedules.

9.3.1: General

  • Notes for the Auditor:

    Ensure that management reviews are conducted regularly and cover all necessary inputs. Check that actions from management reviews are tracked, and that decisions on resource allocation and improvements are documented.

Planned Management Reviews

  • Does top management review the QMS at planned intervals to ensure its continuing suitability, adequacy, effectiveness, and alignment with the strategic direction?

  • Example: Quarterly management reviews focused on aligning quality objectives with business goals.

9.3.2: Management Review Inputs

  • Notes for the Auditor:

    Ensure that management reviews are conducted regularly and cover all necessary inputs. Check that actions from management reviews are tracked, and that decisions on resource allocation and improvements are documented.

Status of Previous Actions

  • Are actions from previous management reviews included in the review input?

  • Example: Review of open corrective actions, status of previous improvement initiatives.

Changes in Internal and External Issues

  • Are changes in internal and external issues relevant to the QMS considered during the review?

  • Example: New regulatory requirements, changes in market conditions.

Trends in Customer Satisfaction and Feedback

  • Are trends in customer satisfaction and feedback from interested parties reviewed?

  • Example: Declining customer satisfaction survey scores, increased customer complaints.

Review of Nonconformities and Corrective Actions

  • Are nonconformities and the effectiveness of corrective actions reviewed?

  • Example: Analysis of recurring nonconformities, effectiveness of corrective measures implemented.

Performance and Conformity of Products and Services

  • Is the performance and conformity of products and services reviewed?

  • Example: Review of delivery performance, conformity to product specifications.

Adequacy of Resources

  • Is the adequacy of resources for maintaining the QMS reviewed?

  • Example: Need for additional quality personnel, allocation of resources for training.

Review of Risks and Opportunities

  • Are the effectiveness of actions taken to address risks and opportunities reviewed?

  • Example: Review of risk mitigation actions, identification of new improvement opportunities.

9.3.3: Management Review Outputs

  • Notes for the Auditor:

    Ensure that management reviews are conducted regularly and cover all necessary inputs. Check that actions from management reviews are tracked, and that decisions on resource allocation and improvements are documented.

Opportunities for Improvement

  • Does the management review identify opportunities for improvement?

  • Example: Introduction of new product lines, process optimisation suggestions.

Need for Changes to QMS

  • Are decisions made regarding the need for changes to the QMS?

  • Example: Revision of procedures, changes in quality objectives.

Resource Needs

  • Are resource needs identified during the management review?

  • Example: Budget approvals for new equipment, need for additional training.

Retention of Documented Information

  • Does the organisation retain documented information as evidence of the results of management reviews?

  • Example: Meeting minutes, action plans from management reviews.

10: Improvement

  • Notes for the Auditor:

    Ensure that there are well-documented actions aimed at improving both customer satisfaction and the effectiveness of the QMS. Look for evidence of proactive improvements rather than just reactive fixes.

Identifying Opportunities for Improvement

  • Has the organisation determined and selected opportunities for improvement?

  • Example: Identifying process inefficiencies, customer feedback analysis for potential enhancements.

Actions for Meeting Customer Requirements

  • Are actions implemented to meet customer requirements and enhance satisfaction?

  • Example: Modifying products or services to align with customer expectations, offering additional support.

Correcting Undesired Effects

  • Does the organisation implement actions to correct, prevent, or reduce undesired effects?

  • Example: Implementing corrective actions after product defects or customer complaints.

Improving the QMS Performance and Effectiveness

  • Are actions taken to improve the performance and effectiveness of the QMS?

  • Example: System-wide updates, process optimisations, or automation to improve performance.

Types of Improvements

  • Does the organisation use methods such as correction, corrective actions, continual improvement, innovation, or re-organisation?

  • Example: Introducing lean management practices or breakthrough technology.

10.2: Nonconformity and Corrective Action

  • Notes for the Auditor:

    Ensure that nonconformities are systematically recorded and addressed. Pay attention to whether root cause analysis is conducted thoroughly and corrective actions are implemented effectively.

Response to Nonconformities

  • When nonconformities occur, does the organisation react to them by taking action to control and correct them?

  • Example: Immediate correction of a non-conforming product by recalling or reworking.

Preventive Action to Avoid Recurrence

  • Are actions taken to evaluate the need for eliminating causes to prevent recurrence?

  • Example: Root cause analysis after incidents of nonconformity, followed by preventive measures.

Reviewing and Analysing Nonconformity

  • Does the organisation review and analyse the nonconformity to determine the causes and whether similar nonconformities exist?

  • Example: Conducting a fishbone or 5-why analysis to identify the root cause.

Effectiveness of Corrective Actions

  • Is the effectiveness of any corrective actions reviewed?

  • Example: Tracking the implementation of corrective actions and their impact over time.

Updating Risks and Opportunities

  • Are risks and opportunities updated during planning based on the nonconformity review?

  • Example: Revising the risk register to reflect newly identified risks or improvements.

Making Changes to the QMS

  • Are changes to the QMS made, if necessary, following the evaluation of nonconformities?

  • Example: Adjusting procedures or introducing new control measures based on findings.

Retention of Records

  • Does the organisation retain documented information as evidence of the nature of nonconformities and any corrective actions taken?

  • Example: Nonconformity logs, corrective action records, and reports.

10.3: Continual Improvement

  • Notes for the Auditor:

    Look for continual improvement as a regular part of the organisation's operations, not just in response to problems. Ensure that all improvements are supported by data and managed through the appropriate channels.

Suitability, Adequacy, and Effectiveness of the QMS

  • Does the organisation continually improve the suitability, adequacy, and effectiveness of its QMS?

  • Example: Regular reviews of QMS processes, incorporating feedback from audits and performance data.

Using Results from Analysis and Evaluation

  • Are the results from analysis, evaluation, and management review considered to identify needs or opportunities for improvement?

  • Example: Using KPI data, audit findings, and customer feedback to drive improvements.

Implementing Improvements through Change Management

  • Are improvements implemented through a proper change management process?

  • Example: Ensuring process changes follow a formal change management procedure.

Retention of Records

  • Is documented information retained to demonstrate the effectiveness of the continual improvement process?

  • Example: Records of improvement initiatives, process updates, and changes made based on review outcomes.

The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.